
Google Authenticator 2FA - backup and recovery?

vrdiver
Lemon Quarter
Posts: 2574
Joined: November 5th, 2016, 2:22 am
Has thanked: 552 times
Been thanked: 1212 times

Google Authenticator 2FA - backup and recovery?

#256335

Postby vrdiver » October 7th, 2019, 1:55 pm

I use Google's Authenticator app on my phone to secure a number of different accounts but haven't really found a good solution to mitigate problems should I lose my phone.

Some accounts allow you to create a set of one-time emergency codes, which is OK as I store those in the relevant KeePass entry (so stored in a password-protected encrypted file on an encrypted disk).

Other accounts (e.g. PayPal) either offer the option to add a second device to text codes to, or remain silent on the subject.

Ideally, I'd like to back up the phone and be able to restore Authenticator onto the replacement, but I read (a while ago) that that doesn't work.

What do others do?

VRD

Infrasonic
Lemon Quarter
Posts: 4485
Joined: November 4th, 2016, 2:25 pm
Has thanked: 647 times
Been thanked: 1264 times

Re: Google Authenticator 2FA - backup and recovery?

#256340

Postby Infrasonic » October 7th, 2019, 2:13 pm

The Microsoft Authenticator app for Android recently got a 'cloud' backup facility on an update with a 'recovery' email address, I've not been into the details yet but it might do what you want.

As Google have their own backup sync to cloud facility (which I use) this might be on their radar for a future Authenticator update?

I bought a new Pixel 3a last week and did a cable copy transfer/update from my old Nexus 5. Unfortunately due to the state of the battery on the Nexus 5 it failed pretty quickly and I finished it off via a web sync. So I don't know if it had completed successfully via cable if the MS app would have transferred everything across automatically from the cloud backup. I had to manually re-log in with both of my MS accounts + passwords. AFAIK everything else was as is (authorised devices et al).

djpeck1
Lemon Pip
Posts: 58
Joined: November 4th, 2016, 2:49 pm
Has thanked: 15 times
Been thanked: 38 times

Re: Google Authenticator 2FA - backup and recovery?

#256355

Postby djpeck1 » October 7th, 2019, 3:00 pm

I use Authenticator Plus. It has automatic backup functionality to the cloud (I use Google Drive). Additionally you can manually backup to an encrypted file on your device.

If you lose your phone or just want to migrate to a new phone the whole process is very straightforward. I've done it a couple of times with no issues at all.

See here ... https://www.authenticatorplus.com/

I have no affiliation with the developers of this app.

Julian
Lemon Quarter
Posts: 1389
Joined: November 4th, 2016, 9:58 am
Has thanked: 534 times
Been thanked: 677 times

Re: Google Authenticator 2FA - backup and recovery?

#256361

Postby Julian » October 7th, 2019, 3:26 pm

Even if it was available I would never use a cloud backup for this. I actually do have the capability because I use an iOS app called Authy which is a clone of Google Authenticator and does offer online backup. It warns me about once every few months that I don't have backups enabled and I hit "Ignore" every time rather than enabling them. I don't use a backup because, although I am mostly OK storing stuff on the cloud, I view the 2FA as my last line of defence re security on my most critical accounts so I don't want to take any risks at all.

What I do is that when I am setting up a new 2FA site in Google Authenticator (or in my case Authy) I don't use the QR scanning method to set up the new site. For every site I have ever set up there has always been a link that says something like "set up manually" as an alternative to scanning the QR code with your camera (in some cases it might be a link identifying itself by saying something like "I don't have a camera" or similar). If you click that it will display a long-ish alphanumeric number that you need to enter into the app as the seed for the algorithm that Authenticator will use to generate the time-aligned numbers for the particular site you are setting it up for. Letting the camera scan the QR code is essentially just automatically entering that alphanumeric number for you.

As soon as the web site displays the number it wants me to enter to seed the 2FA I also record that seed number in an encrypted file on my PC which is of the form...

<Site Name 1> <Seed number 1>
...
<Site Name n> <Seed number n>

I also print out this file every time I add to it and store a hard-copy in my fire safe in case my PC were ever to be stolen.

Whenever I get a new phone I always set it up anew rather than restoring from a backup so I reinstall Authy (or in your case Google Authenticator) from the app store, get out my list of seed numbers, and manually add each site again using the seed codes that I have recorded. Since I only have 5 sites this only takes at most 10 minutes to do. Were you to lose your phone you would simply do what I do when setting up a new phone. The seed codes never change. I have re-entered them on at least 6 occasions. I also have the authenticator app on my iPad as well as my iPhone and do the same setup-from-scratch procedure whenever I upgrade my iPad hence I have done a fresh setup on quite a lot of devices/occasions and it has never failed to have me back up and running again.

In fact that's another advantage of actually seeing and recording the seed codes as opposed to simply using the QR code to automatically enter them without you ever knowing what they were. If you know the seed codes you can install and configure the authenticator app on as many devices as you want and as long as you enter the same seed codes on all devices they will all generate the exact same site-specific number sequence for all of your sites. That's also how I check I get it right, e.g. a couple of weeks ago when I got my new iPhone as I entered each new site/seed-code I opened the authenticator app on my iPad, had it generate the sequence for whatever site I had just set up anew on my iPhone, and had the iPhone generate the code as well. I could then sit the iPad and iPhone app side by side and verify that my new iPhone was generating exactly the same numbers as my iPad (i.e. I hadn't mistyped the seed code when setting up the iPhone).

- Julian

Infrasonic
Lemon Quarter
Posts: 4485
Joined: November 4th, 2016, 2:25 pm
Has thanked: 647 times
Been thanked: 1264 times

Re: Google Authenticator 2FA - backup and recovery?

#256366

Postby Infrasonic » October 7th, 2019, 3:33 pm

Infrasonic wrote:The Microsoft Authenticator app for Android recently got a 'cloud' backup facility on an update with a 'recovery' email address, I've not been into the details yet but it might do what you want.



Details here... https://www.zdnet.com/article/microsoft ... -recovery/

Julian
Lemon Quarter
Posts: 1389
Joined: November 4th, 2016, 9:58 am
Has thanked: 534 times
Been thanked: 677 times

Re: Google Authenticator 2FA - backup and recovery?

#256370

Postby Julian » October 7th, 2019, 3:45 pm

As a bit of extra background/warning....

I'm actually a lot less cautious than some about storing stuff online, for instance I use online backups and even a password manager but my golden rule is that whatever provider I am using must allow me to use my own encryption key that only I know and that never leaves my PC so even if the online storage site is hacked the online servers don't have my decryption key.

In considering whether you are comfortable having your authenticator codes backed up online do consider that the 2FA is essentially simply another password that, if entered into Google Authenticator or any app implementing the same algorithm, will allow anyone to generate the required 2FA code to get into one of your sites (assuming they already know the user name, password, secure answers, etc). For instance, if my seed code for my Google mail account was "2h67 hwt0 ... 36rn" (it's actually 8 x 4-digit blocks) then anyone could download Google Authenticator onto their phone, set up an account with that seed, and then use their phone to generate the same 2FA numbers as my phone generates. That is why I don't want my seed codes anywhere where I can't be sure they are totally safe.

- Julian
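Added example (not part of any post in this thread): a minimal TOTP generator showing why the recorded seed alone is enough to reproduce the codes on any device, and why a mistyped seed shows up in a side-by-side comparison. It assumes the site uses standard RFC 6238 TOTP with HMAC-SHA1, a 30-second step, 6 digits and a Base32 seed; the seed values are constructed from the published RFC 6238 test key, and the function names are illustrative.

```python
import base64
import binascii
import hashlib
import hmac
import struct


def decode_seed(seed: str) -> bytes:
    """Turn a seed as shown by 'set up manually' into raw key bytes."""
    cleaned = seed.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)      # Base32 needs a multiple of 8 chars
    return base64.b32decode(cleaned)          # binascii.Error on an invalid character


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 (assumed defaults: 30 s step, 6 digits)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                   # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def devices_agree(seed_a: str, seed_b: str, unix_time: int) -> bool:
    """The side-by-side check: do two typed-in seeds give the same code?"""
    try:
        return totp(decode_seed(seed_a), unix_time) == totp(decode_seed(seed_b), unix_time)
    except binascii.Error:                    # a character outside A-Z / 2-7
        return False


# Constructed sample data: the published RFC 6238 test key, not a real account.
RFC_SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
AS_DISPLAYED = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"   # 8 blocks of 4
MISTYPED = "gezd gnbv gy3t qojq gezd gnbv gy3t qojr"       # last character wrong
INVALID = "gezd gnbv gy3t qojq gezd gnbv gy3t qoj0"        # '0' is not Base32

if __name__ == "__main__":
    import time
    now = int(time.time())
    print("code right now:", totp(decode_seed(RFC_SEED), now))
    print("same seed, other device:", devices_agree(RFC_SEED, AS_DISPLAYED, now))
    print("mistyped seed:", devices_agree(RFC_SEED, MISTYPED, now))
    print("invalid character:", devices_agree(RFC_SEED, INVALID, now))
```

Nothing device-specific enters the calculation: the code depends only on the seed and the clock, which is why a stored seed has to be protected like a password.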

Infrasonic
Lemon Quarter
Posts: 4485
Joined: November 4th, 2016, 2:25 pm
Has thanked: 647 times
Been thanked: 1264 times

Re: Google Authenticator 2FA - backup and recovery?

#256375

Postby Infrasonic » October 7th, 2019, 3:54 pm

The other 2FA option is to go to a physical key, USB/NFC would cover both PCs and phones (that have NFC...).

If you want to read up on it all... https://www.google.com/search?q=U2+fa+f ... e&ie=UTF-8

I've been keeping tabs on this for a few years now, it's just getting to the stage where it is feasible in a mixed OS and device environment.

Lanark
Lemon Quarter
Posts: 1334
Joined: March 27th, 2017, 11:41 am
Has thanked: 598 times
Been thanked: 585 times

Re: Google Authenticator 2FA - backup and recovery?

#256437

Postby Lanark » October 7th, 2019, 8:35 pm

The aspect you need to think about is not just losing the phone but someone going into a shady phone shop and porting your number away. The phone networks are not set up to be secure.
There are many who think this is not an accident and the powers that be have a back door into all the phone networks in the first place.

Physical keys are a great solution until they break.

Infrasonic
Lemon Quarter
Posts: 4485
Joined: November 4th, 2016, 2:25 pm
Has thanked: 647 times
Been thanked: 1264 times

Re: Google Authenticator 2FA - backup and recovery?

#256450

Postby Infrasonic » October 7th, 2019, 9:33 pm

Lanark wrote:Physical keys are a great solution until they break.


So have more than one key then, in the same way that you have OS and data backups (on and offsite), a plan B for your mobile breaking/being lost or stolen (two mobiles on different networks for me) etc.etc...

vrdiver
Lemon Quarter
Posts: 2574
Joined: November 5th, 2016, 2:22 am
Has thanked: 552 times
Been thanked: 1212 times

Re: Google Authenticator 2FA - backup and recovery?

#256479

Postby vrdiver » October 7th, 2019, 11:53 pm

Julian wrote:What I do is that when I am setting up a new 2FA site in Google Authenticator (or in my case Authy) I ...<snip>...record that seed number in an encrypted file on my PC...

Just tried this using my old phone to create a second Authenticator instance. Works fine - thank you for the tip.

I have a dozen or so accounts that use 2FA in this way, so it's manageable. Rather than record just the seed number, I've taken a screen image of the QR code as well as copying the text seed number, which I've then saved in an rtf file within my KeePass database. That seems a bit easier than retyping e.g. Amazon's 52-character code, but I have the text if the QR image doesn't work.

I think I'll stay with the Google app as I trust them to be around for a while and with this workaround, combined with the frequency of needing to rebuild the entries, it feels like the path of least resistance / best security. Should I wish to switch authenticator apps I also now have the correct seed data with which to do so, without having to disable/re-enable each site's security.

VRD

Julian
Lemon Quarter
Posts: 1389
Joined: November 4th, 2016, 9:58 am
Has thanked: 534 times
Been thanked: 677 times

Re: Google Authenticator 2FA - backup and recovery?

#256541

Postby Julian » October 8th, 2019, 10:18 am

vrdiver wrote:
Julian wrote:What I do is that when I am setting up a new 2FA site in Google Authenticator (or in my case Authy) I ...<snip>...record that seed number in an encrypted file on my PC...

Just tried this using my old phone to create a second Authenticator instance. Works fine - thank you for the tip.

I have a dozen or so accounts that use 2FA in this way, so it's manageable. Rather than record just the seed number, I've taken a screen image of the QR code as well as copying the text seed number, which I've then saved in an rtf file within my KeePass database. That seems a bit easier than retyping e.g. Amazon's 52-character code, but I have the text if the QR image doesn't work.

I think I'll stay with the Google app as I trust them to be around for a while and with this workaround, combined with the frequency of needing to rebuild the entries, it feels like the path of least resistance / best security. Should I wish to switch authenticator apps I also now have the correct seed data with which to do so, without having to disable/re-enable each site's security.

VRD

You're welcome.

Good idea on the QR code. Since my encrypted file is actually an Excel spreadsheet I could easily embed an image as the last active cell of each row/entry.

I agree on the trust thing. As I was typing my initial reply I had this nagging thought running through my head as to why I ever switched from Google's Authenticator (GA) app to Authy, I did use GA initially, but I switched a few years ago so I can't remember. As already discussed it wasn't for the online backup feature! I think it might have been because at the time Authy supported restricting access to the app via the on-phone biometric authentication (e.g. TouchID or FaceID on an iPhone) whereas GA didn't and that extra level of security seemed a good idea to me. If GA supports biometric app locking now I might move back.

I'm encouraged to hear you have "a dozen or so accounts" that use GA. I'm always left wishing that more sites that I use offered GA codes as a 2FA method because once it's set up on a phone it's so convenient. All I have at the moment is 2 Google mail accounts, Lastpass and HMRC.

- Julian

Infrasonic
Lemon Quarter
Posts: 4485
Joined: November 4th, 2016, 2:25 pm
Has thanked: 647 times
Been thanked: 1264 times

Re: Google Authenticator 2FA - backup and recovery?

#256547

Postby Infrasonic » October 8th, 2019, 10:45 am

Don't know how accurate this is, but as a loose guide it might be OK... https://twofactorauth.org/

List of websites and whether or not they support 2FA.

AF62
Lemon Quarter
Posts: 3499
Joined: November 27th, 2016, 8:45 am
Has thanked: 131 times
Been thanked: 1277 times

Re: Google Authenticator 2FA - backup and recovery?

#256567

Postby AF62 » October 8th, 2019, 12:40 pm

Infrasonic wrote:Don't know how accurate this is, but as a loose guide it might be OK... https://twofactorauth.org/


Seems to be reasonable. It indicated that Paypal had updated to support Authenticators when they only used to do SMS, and sure enough they do now.

Infrasonic
Lemon Quarter
Posts: 4485
Joined: November 4th, 2016, 2:25 pm
Has thanked: 647 times
Been thanked: 1264 times

Re: Google Authenticator 2FA - backup and recovery?

#256582

Postby Infrasonic » October 8th, 2019, 1:05 pm

There's a good 2FA tutorial/FAQ here for Proton Mail... https://protonmail.com/support/knowledg ... ntication/

